In the Shadow of SolarWinds, in-toto Releases its First Major Version

The recent SolarWinds hack in which companies, government agencies, and academic institutions suffered significant data breaches after malware was slipped into a software update, is a sobering reminder that though updates are necessary, they are also always fraught with risk. The full impact of the attack, which is known to have affected computer systems within the U.S. Departments of Defense, State, Homeland Security, Treasury, Commerce, and Energy, is still to be tallied.

Though attacks on software update systems are not a new phenomena, the introduction of what has been dubbed the Sunburst virus has demonstrated just how devastating the consequences can be if updates are corrupted with malware. Defending against future hacks of this nature requires a security system that can assure that all the steps performed on a piece of software throughout its design and development lifecycle were completed in the right way by the right people.

As the fallout from SolarWinds was just coming to light, in-toto, a free, easy-to-use framework that cryptographically ensures the integrity of the software supply chain, marked a significant milestone in its project history. On November 19, 2020, following five years of research and development, and adoption or integration into several major open source software projects, in-toto released its first major version (V.1.1.0). The release signifies that in-toto has reached a level of maturity where its developers can ensure its quality, and guarantee its security to potential adopters.

Initiated in 2016 by Prof. Santiago Torres-Arias and Prof. Justin Cappos in the Secure Systems Laboratory at NYU’s Tandon School of Engineering, in-toto provides transparency as to what steps are performed on a piece of software throughout its design and development lifecycle. This information is crucial to security as it addresses an inherent problem in software development processes: their decentralized nature. “As it moves from development to testing to packaging, and finally to distribution, a piece of software passes through a number of hands,” notes Torres-Arias, who leads the in-toto project and did his dissertation on the topic. He adds, “By requiring that each step in this chain conform to the layout specified by the developer, it confirms to the end-user that the product has not been altered for malicious purposes, such as by adding backdoors in the source code.”

On a simple level, in-toto can be explained as follows: A project owner creates a layout describing the steps that every functionary—be it an individual or an automated entity— must perform, as well as the specific inspection steps that must be performed on the client’s machine. After the step is completed, the functionary records link metadata about the action specifying what was done, when, and by who. Once all functionaries have completed their task, both the metadata and the files are aggregated into a final product. Lastly, when the end-user receives the product, he or she will perform a last verification to ensure all steps were performed correctly. For Dr. Trishank Kuppusamy, a 2017 Ph.D. graduate of NYU who worked on the project in its early days, and is now Staff Security Engineer at one of the project’s adopters, Datadog, what separates in-toto from other security systems is that “it has been designed against a very strong threat model that includes nation-state attackers at the top. Together with its sibling project The Update Framework (TUF), it is the only system that I know of that offers end-to-end security anywhere between developers and end-users.” He adds that, “At Datadog, we chose to use TUF and in-toto to automatically yet securely deliver new versions of our Agent Integrations. As far as we know, this is the first publicly-discussed CI/CD pipeline in the industry that provides such end-to-end security.” As noted by BoxBoat on December 14, “DataDog’s implementation of in-toto in their pipelines would likely have stopped the SolarWinds attack dead in its tracks.” in-toto has collaborated with open source communities such as Git, Docker, and OpenSUSE. It is also part of the Cloud Native Application Bundle (CNAB), an open source project that facilitates the bundling, installing and managing of container-native applications. Ralph Squillace, Principal Program Manager for Microsoft Azure Computer’s Application Platform team and a contributor to CNAB, noted that in-toto was picked for the specification’s supply chain attestation approach in v1.0 “precisely because it was open-source and applied precisely to the problems of supply chain confidence the community expects distributed applications to have in the real world.” He adds that, “there are many possible ways of handling the problem, but in-toto can be used anywhere and is developed in public by an engaged community. We hope to expand its usage and support it in our work going forward.”

In addition to Prof. Torres-Arias, who graduated from Tandon in 2020 and is now an assistant professor of electrical and computer engineering at Purdue University, the in-toto research team includes developer Lukas Pühringer, Ph.D. student Aditya Sirish, and undergraduate students Yuanrui Chen, Isha Vipul Dave, Kristel Fung, Cindy Kim, and Benjamin Wu, all from the Secure Systems Laboratory at NYU; and doctoral students Hammad Afzali Nanize and Sangat Vaidya, together with Professor Reza Curtmola, who is co-director of the Cybersecurity Research Center at New Jersey Institute of Technology. in-toto has also benefited from reviews and contributions from members of the open source community, who have not only provided critiques on design decisions, but who have also shared lessons learned from their own deployments of the framework.

With the release of 1.0.0, both the research team and this growing user community look forward to the framework’s ability to reduce malicious interference in the software lifecycle. “The release of a stable in-toto 1.0.0 will hopefully encourage more software projects to start securing their supply chains yesterday rather than tomorrow,” Kuppusamy notes. “It is an important milestone because both the specification and the reference implementation have been tested in production for at least the past three years.”